Database

Browse Database

CHINA

Since August 2021, entry into force in October 2021
Since September 2021

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Provisions on Management of Automotive Data Security (Trial) (汽车数据安全管理若干规定(试行))

Notice on Strengthening Internet of Vehicle Cybersecurity and Data Security (工业和信息化部关于加强车联网网络安全和数据安全工作的通知)
According to Arts. 11 and 12 of the Provisions on Management of Automotive Data Security (Trial), important data must be stored domestically in compliance with legal requirements. If cross-border data transfer is necessary, security assessments must be conducted in coordination with the Cyberspace Administration of China and other relevant governmental authorities. In addition, the Management Provisions stipulate that vehicle data processors who provide important data to foreign entities must adhere strictly to the purpose, scope, method, type, and scale of data as specified in the security assessment. Data categorized as important includes video and image data captured outside of vehicles that contain facial information and personal information pertaining to 100,000 or more identified or identifiable vehicle owners, drivers, passengers, and individuals outside the vehicles.
Under Section 16 of the "Notice on Strengthening Internet of Vehicle (IoV) Cybersecurity and Data Security," manufacturers of Intelligent Connected Vehicles and operators of IoV service platforms are required to conduct a security assessment for cross-border data transfers if they intend to provide important data abroad.
Coverage Automotive sector

CHINA

Since December 2022, entry into force in January 2023

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Measures for Data Security Management in the Fields of Industry and Information Technology (Trial) (工业和信息化领域数据安全管理办法(试行))
Under Art. 21 of the "Measures for Data Security Management in the Fields of Industry and Information Technology," key data and core data generated and collected by data handlers in the fields of industry and information technology within the territory of China must be stored in China. Should the data need to be transferred abroad, a data cross-border transfer security assessment must be conducted in accordance with relevant laws and regulations. Without the approval of the Ministry of Industry and Information Technology, data handlers in the fields of industry and information technology are prohibited from providing foreign industrial, telecommunication, and radio law enforcement agencies with data in these fields that is stored within the territory of China.
Coverage Industry and information technology

CHINA

Since September 2025

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Cybersecurity Standard Practice Guide - Data Security Requirements for Academic and Technological Service Platforms (网络安全标准实践指南-学术科技服务平台数据安全要求)
Section 4.2 of "Data Security Requirements for Academic and Technological Service Platforms" stipulates that, when operators of academic and scientific service platforms undertake data storage activities, they must adhere to the requirement that any non-public academic or scientific data collected or generated within the national territory shall be stored domestically.
Coverage Operators of academic and scientific service platforms

CHINA

Since January 2006, entry into force in March 2006

Pillar Cross-border data policies  |  Indicator Infrastructure requirement
Measures for the Administration of Electronic Banking Business (电子银行业务管理办法)
Art. 10 of the Measures for the Administration of Electronic Banking Business stipulates that Chinese-funded banking financial institutions must ensure that their electronic banking operation systems and business processing servers are established within the territory of the People’s Republic of China, whereas foreign-funded financial institutions may deploy such systems either domestically or abroad, provided that, when located outside China, they maintain facilities within the country capable of recording and preserving transaction data, satisfying on-site inspection requirements of financial regulators, and enabling compliance with judicial investigations in the event of legal disputes.
Coverage Financial sector

CHINA

Since December 2015, entry into force in July 2016

Pillar Cross-border data policies  |  Indicator Infrastructure requirement
Announcement No. 43 [2015] of the People's Bank of China - Administrative Measures for the Online Payment Business of Non-Banking Payment Institutions (中国人民银行公告〔2015〕第 43 号 - 非银行支付机构网络支付业务管理办法)
Art. 26 of the "Administrative Measures for the Online Payment Business of Non-Banking Payment Institutions" requires payment institutions to maintain secure and standardised online payment processing systems and their backup systems within the territory of China, supported by contingency plans to ensure operational continuity. It further provides that services for domestic transactions must be processed through these domestic systems and that the settlement of funds must also occur within China.
Coverage Payment institutions

CHINA

Since February 2016

Pillar Cross-border data policies  |  Indicator Infrastructure requirement
Online Publishing Service Management Rules (网络出版服务管理规定)
Arts. 8 and 9 of the Online Publishing Service Management Rules mandate that the servers and storage equipment of online publishers must be situated within the borders of China.
Coverage Online publishers

CHINA

Since August 2017

Pillar Cross-border data policies  |  Indicator Infrastructure requirement
Guiding Opinions on Encouraging and Regulating the Development of Internet Rental Bicycles (交通运输部等10部门关于鼓励和规范互联网 租赁自行车发展的指导意见)
According to Section 13 of the Guiding Opinions on Encouraging and Regulating the Development of Internet Rental Bicycles, companies offering internet-based bicycle rental services are required to establish domestic servers and store operational data collected within China.
Coverage Internet rental bicycle services

CHINA

Since May 2024, entry into force in October 2024

Pillar Cross-border data policies  |  Indicator Infrastructure requirement
Interim Measures for Data Security Management of Accounting Firms (财政部 国家网信办关于印发《会计师事务所数据安全管理暂行办法》的通知)
Art. 13 of the "Interim Measures for Data Security Management of Accounting Firms" mandates that audit working papers produced by accounting firms must be stored within the territory of the People's Republic of China, in accordance with relevant regulations. Encryption devices are required to be installed domestically, managed and maintained by local teams, with encryption keys likewise retained within national borders. Pursuant to Art. 19, any transfer of audit working papers abroad must receive prior approval, and accounting firms are obliged to establish a tiered review mechanism governing such exports, alongside implementing comprehensive responsibilities for data security management and control. In addition, in accordance with Art. 14, accounting firms must establish a data backup system to ensure the continued access, retrieval, and use of relevant audit working papers in the event of disruption or restriction to audit-related application systems due to external technical factors.
Coverage Accounting firms

CHINA

Since October 2020

Pillar Cross-border data policies  |  Indicator Conditional flow regime
Amendment to the Information Security Technology – Personal Information Security Specification (GB/T 35273-2020) (信息安全技术-个人信息安全规范》(GB/T 35273-2020)修正案)
Section 9.2.i of the "Amendment to the Information Security Technology – Personal Information Security Specification" provides that where personal biometric information must not be shared or transferred unless actually essential for business needs, in which case the personal information subject must be separately informed of the purpose, types of biometrics involved, identification of the recipient and its data security capacity and the personal information subject consent must be explicitly obtained.
Coverage Horizontal
Sources

CHINA

Since August 2021, entry into force in November 2021
Since March 2024

Pillar Cross-border data policies  |  Indicator Conditional flow regime
Personal Information Protection Law of the People's Republic of China (中华人民共和国个人信息保护法)

Provisions on Promoting and Regulating the Cross-Border Flow of Data (促进和规范数据跨境流动规定)
Under Art. 40 of the Personal Information Protection Law (PIPL), personal information handlers who process personal data exceeding the thresholds stipulated by regulatory authorities, as well as operators of critical information infrastructure, are required to store the personal information they collect and generate within the territory of China. If it is genuinely necessary for a personal information handler to transfer personal information abroad, specific regulatory requirements must be satisfied. In accordance with Art. 38 of the PIPL and Arts. 7 and 8 of the Provisions on Promoting and Regulating the Cross-Border Flow of Data, personal information handlers seeking to provide or transfer personal data outside of China must meet one of the following conditions:
1. Obtain approval through a security assessment conducted by the Cyberspace Administration of China (CAC), applicable if any of the following criteria are met: the handler is a critical information infrastructure operator; the handler (not classified as a critical information infrastructure operator) has, since 1 January of the current year, cumulatively provided the personal information of 1,000,000 individuals or sensitive personal information of 10,000 individuals to overseas recipients; the handler seeks to transfer personal information classified as important data or otherwise containing important data outside China.
2. Satisfy requirements through either of the following mechanisms: enter into the standard contract formulated by the CAC with the overseas data recipient; or obtain personal information protection certification from professional institutions in accordance with CAC rules. This applies when the handler is not a critical information infrastructure operator; or intends to transfer non-sensitive personal information of more than 100,000 but less than 1,000,000 individuals, or sensitive personal information of fewer than 10,000 individuals, on a cumulative basis, since 1 January of the current year.
Notwithstanding the above requirements, the outbound transfer of personal information, excluding important data, is exempt from these provisions under Arts. 3, 4, and 5 of the Provisions if the transfer arises from the following circumstances:
- International trade, cross-border transportation, academic collaboration, transnational manufacturing, marketing, or similar activities that do not involve personal or important data.
- Exporting personal information collected or generated outside China and then processed in China, provided no domestic personal information collected within China is included.
- Transfers necessary for the performance of contracts involving the data subject, such as cross-border shopping, payments, travel bookings, visa applications, or similar services.
- Employee-related data transfers for implementing human resources management under employment policies or collective labour agreements.
- Transfers required to protect the life, health, or property security of individuals in emergencies.
- Transfers involving non-sensitive personal information of fewer than 100,000 individuals on a cumulative basis by handlers who are not critical information infrastructure operators since 1 January of the current year.
Additionally, Arts. 38, 39, 41, 53, and 55 of the PIPL impose further obligations on personal information handlers seeking to transfer personal data outside China, including:
- Demonstrating a legitimate business or operational need for the cross-border transfer.
- Implementing measures to ensure that overseas recipients process the data in compliance with the protection standards set out in the PIPL.
- Providing adequate prior notification to individuals and obtaining their explicit consent.
- Securing approval from the relevant Chinese authorities for transfers to foreign judicial or law enforcement agencies.
- Establishing local representatives or agencies within China for overseas recipients who do not have a local entity and are classified as personal information handlers outside Mainland China.
- Conducting a personal information protection impact assessment before initiating a cross-border transfer.
Coverage Horizontal

CHINA

Since July 2015

Pillar Intellectual Property Rights (IPRs)  |  Indicator Mandatory disclosure of business trade secrets such as algorithms or source code
National Security Law of the People's Republic of China (中华人民国国家安全法)
According to Art. 25 of the Chinese government’s 2015 National Security Law, all information systems in China must be "secure and controllable". As a result of this policy, it is reported that every company operating in China – whether domestic or foreign – is required to provide the Chinese government with access to its source code, encryption keys, and backdoor access to their computer networks in China.
Coverage Horizontal

CHINA

Since November 2016, entry into force in June 2017, last amended in October 2025
Since March 2024

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Cybersecurity Law of the People's Republic of China (中华人民共和国网络安全法)

Provisions on Promoting and Regulating the Cross-Border Flow of Data (促进和规范数据跨境流动规定)
Art. 39 of the Cybersecurity Law requires that personal information and important data collected or generated by operators of critical information infrastructure within mainland China be stored domestically, and allows their transfer abroad only when genuinely necessary for business purposes and subject to a security assessment conducted in accordance with measures issued jointly by the national cybersecurity and informatization authority and relevant State Council departments, unless other laws provide otherwise. Art. 33 defines critical information infrastructure to include sectors such as public communications and information services, energy, transport, water, finance, public services, and e‑government, as well as any infrastructure whose damage, loss of function, or data leakage could seriously endanger national security, public welfare, or the public interest. Art. 7 of the Provisions on Promoting and Regulating the Cross-Border Flow of Data requires data handlers to apply for a data export security assessment when critical information infrastructure operators export personal information or important data, but Art. 5 exempts certain transfers of personal information, though not important data, where the transfer is genuinely necessary for the performance of a contract, for lawful cross-border human resources management, or for emergency protection of life, health, or property. Art. 10 obliges data handlers exporting personal information to provide notice, obtain separate consent, and conduct a personal information protection impact assessment, and Art. 11 further requires them to fulfil data security obligations and adopt technical and other necessary measures to ensure the security of exported data.
Coverage Critical information infrastructure operators

CHINA

Since September 1993, entry into force in December 1993, last amended in 2025
Since November 1995, last amended in December 1998

Pillar Intellectual Property Rights (IPRs)  |  Indicator Effective protection covering trade secrets
Law Against Unfair Competition of the People's Republic of China (中华人民共和国反不正当竞争法)

Provisions on Prohibiting Infringement of Trade Secrets (關於禁止侵犯商業秘密行為的若干規定)
The Law Against Unfair Competition of the People’s Republic of China and the Provisions on Prohibiting Infringement of Trade Secrets constitute an effective legal framework for the protection of trade secrets. In addition to these two primary instruments, the broader system governing undisclosed information and trade secrets is further supported by the Administrative Licensing Law, the Criminal Law, the Labour Law and other relevant legislation.
Despite the existence of this framework, reports indicate that significant enforcement challenges persist. These challenges include stringent evidentiary requirements, limited opportunities for discovery and difficulties in meeting the demanding conditions necessary to enforce agreements intended to safeguard trade secrets and confidential business information from misappropriation. Stakeholders also observe that securing damages awards at levels sufficient to deter infringement remains difficult. Furthermore, there are continuing concerns about the risk of unauthorised disclosure of trade secrets and confidential information by government officials and third‑party experts. This issue is considered particularly acute in sectors such as software.
Coverage Horizontal

CHINA

Since April 2018

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Measures for the Management of Scientific Data (科学数据管理办法)
According to Art. 13 of the "Measures for the Management of Scientific Data," any scientific data generated within the framework of a project supported by Chinese public funds must be collected by the entity responsible for the research project and subsequently submitted to the relevant designated scientific data centre, as specified by the Ministry of Science and Technology, for archiving and processing. Art. 14 stipulates that when scientific data produced within the framework of a project funded by Chinese public funds is to be disseminated outside China for the purpose of producing an academic paper to be published in a foreign journal, the data must first be submitted to the Chinese research institute where the author is employed. The institute’s management must approve the data before the paper can be published. The Measures also impose general obligations applicable to all scientific data, irrespective of whether they are funded by the Chinese government. Specifically, Art. 26 states that if it is necessary to provide a foreign party with scientific data related to state secrets in the context of international collaboration, the transfer of such data is subject to approval by the relevant authorities and the signing of confidentiality agreements between the parties involved in the research.
Coverage Horizontal

CHINA

Reported in 2017, last reported in 2025

Pillar Telecom infrastructure & competition  |  Indicator Passive infrastructure sharing obligation
Requirement of passive infrastructure sharing
It is reported that there is an obligation for passive infrastructure sharing in China to deliver telecom services to end users. Moreover, passive infrastructure sharing is practised in both the mobile and fixed sectors based on commercial agreements.
Coverage Telecommunications sector

Report issue     Report new measure